Merge yara content in a single file

radareorg · Oct 23, 2024 · 38bf334 · 38bf334
1 parent b31ad9c
commit 38bf334
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -10,6 +10,6 @@ Please contribute by updating and improving the contents.
 * [Github](https://github.com/radareorg/radare2-book)
 * [Read it Online](https://book.rada.re/)
 
-Read the [CONTRIBUTING.md](https://github.com/radareorg/radare2-book/blob/master/CONTRIBUTING.md) guidelines before submiting a pull request to the github repository.
+Read the [CONTRIBUTING.md](https://github.com/radareorg/radare2-book/blob/master/CONTRIBUTING.md) guidelines before submitting a pull request to the github repository.
 
 Thanks!
diff --git a/src/r2yara/intro.md b/src/r2yara/intro.md
@@ -98,3 +98,71 @@ SHA256_Constants
 ```
 
 As soon as a pattern is identified, a flag is created at the pattern address.
+
+## Rule generator
+
+r2yara allows the creation of YARA rules inside radare2 with the `yrg` group of commands:
+
+```console
+[0x00000000]> yrg?
+Usage: yrg [action] [args..]   load and run yara rules inside r2
+| yrg-          delete last pattern added to the yara rule
+| yrg-*         delete all the patterns in the current rule
+| yrgs ([len])  add string (optionally specify the length)
+| yrgx ([len])  add hexpairs of blocksize (or custom length)
+| yrgf ([len])  add function bytepattern signature
+| yrgz          add all strings referenced from current function
+```
+
+The current state of the YARA rule can be displayed with the `yrg` command:
+
+```console
+[0x00000000]> yrg
+WARN: See 'yrg?' to find out which subcommands use to append patterns to the rule
+rule rulename : test {
+  meta:
+    author = "user"
+    description = "My first yara rule"
+    date = "2024-10-22"
+    version = "0.1"
+}
+```
+
+Let's assumed we have found an interesting string during reversing:
+
+```console
+[0x00132700]> ps
+expand 32-byte k
+```
+
+To add into this pattern to the current YARA rule, the command `yrgs` can be used together with the length of the pattern to add:
+
+```console
+[0x00132700]> yrgs 16
+[0x00132700]> yrg
+rule rulename : test {
+  meta:
+    author = "sylvain"
+    description = "My first yara rule"
+    date = "2024-10-22"
+    version = "0.1"
+  strings:
+    $ = "expand 32-byte k"
+  condition:
+    all of them
+```
+
+The rule parameters can be changed in the configuration. For example to change the name of the rule, use the following command:
+
+```console
+[0x00132700]> e yara.rule = Salsa20
+```
+
+Once the rule is ready, it can be added to other active YARA rules:
+
+```console
+[0x00132700]> yr+
+INFO: Rule successfully added
+[0x00132700]> yrl
+Salsa20
+```